
A MODIFICATION OF A BROKEN PUBLIC-KEY CIPHER

John J. Cade
24 Ginn Rd.
Winchester, MA 01890

Abstract

A possible public-key cipher is described and its security against various cryptanalytic attacks is considered.

1. Introduction

In this paper, we describe a possible public-key cipher. It is a modification of the public-key cipher that was proposed by the author [2] in April 1985, was broken by Berkovits [1] in August 1985, and was broken independently by James, Lidl, and Niederreiter [3] in October 1985.

This modified cipher, like the original, is a block substitution cipher that operates on binary messages. With this cipher, for a suitably large value of n, n-blocks of binary digits are identified with elements of the finite field GF(2^n), and elements of GF(2^n) are enciphered by means of a permutation of GF(2^n) whose public description is as a polynomial function on GF(2^n) which has a very high degree but only a few terms.

We consider several possible cryptanalytic attacks against the cipher. The most obvious attack consists of solving the polynomial equations of high degree over GF(2^n) which relate corresponding n-blocks of plaintext and ciphertext. Another possible attack consists of solving the system of polynomial equations of high degree over GF(2^n) that expresses the public key for the enciphering permutation in terms of secret trapdoor information about this permutation.

A.M. Odlyzko (Ed.): Advances in Cryptology - CRYPTO '86, LNCS 263, pp. 64-83, 1987. © Springer-Verlag Berlin Heidelberg 1987

For each cryptanalytic attack that we consider, we give an estimate of the amount of computation required as a function of the cipher's block-length n. The estimates for all but one of the attacks are based on fairly complete and satisfying analyses of the attacks in question. Unfortunately, however, for the attack by solving the system of equations that expresses the public key in terms of trapdoor information, the estimate is based only on indirect evidence obtained by an analysis of a simpler related system of equations. This attack will require further study, perhaps with the aid of a computer algebra system. On the basis of the estimates of the amounts of computation required by the various cryptanalytic attacks, it appears that the cipher provides adequate security with a block-length of n ≥ 150.

This paper is organized as follows. In section 2 below, we describe our modified cipher. In section 3, we prove that the enciphering and deciphering permutations used in the cipher are indeed mutually inverse permutations. In sections 4-6, we describe various methods of cryptanalyzing the cipher and we estimate the amounts of computation required by these methods. Finally, in section 7, we summarize these estimates and use them to determine a suitable block-length for the cipher.

2. Description of the cipher

Our cipher is designed to encipher binary messages. Each such message is enciphered one n-block at a time, for a specified block-length n, by substituting for each plaintext n-block x a corresponding ciphertext n-block y which is given by y = P(x), where P is a certain kind of permutation of the set of all binary n-blocks.

Because of the particular form of the enciphering permutations used in the cipher, the block-length n must be an integer for which there exist integers δ, γ, and β such that n = 2δ and δ = 2γ = 3β. Note that an integer n satisfies this requirement if and only if n is a multiple of 12. In the following, n, δ, γ, and β are understood to be as just described.

For the operation of the cipher, the set of all binary n-blocks must be identified in some specified way with the finite field GF(2^n). Then the public description of the enciphering permutation P consists of a 16-term polynomial formula for P having the form

[formula (2.1) is not legible in the scan]

The coefficients p_{gh} in this formula are publicly revealed elements of GF(2^n) which constitute the public key for P.

Although P is a polynomial function of very high degree, P(x) can nevertheless be computed quite efficiently for each x ∈ GF(2^n). One way to do this is to use formula (2.1) written in the form

[the rewritten form of (2.1) is not legible in the scan]

and to compute the powers of x of the form x^{2^k} appearing in this formula by doing k successive squarings. Computing P(x) this way requires a total of just (11/12)n squarings, 20 multiplications, and 15 additions in GF(2^n).

P(x) can be computed even more efficiently by using matrix-vector multiplication to compute various quantities which are the values of linear functions on GF(2^n), where GF(2^n) is regarded as a vector space over its smallest subfield GF(2). To compute P(x) this way, first compute the quantities u_0, ..., u_3 and v_1, v_2, v_3 given by

$$u_h = \sum_{g=0}^{3} p_{gh}\, x^{2^{\gamma g + \beta}}, \quad h = 0, \ldots, 3, \qquad \text{and} \qquad v_h = x^{2^{\gamma h}}, \quad h = 1, 2, 3.$$

Each of these quantities is a GF(2)-linear function of x, and so can be computed by doing a single matrix-vector multiplication involving an n × n matrix over GF(2) and an n-element vector over GF(2). Then compute P(x) by using the formula

[formula not legible in the scan]

Computing P(x) this way requires a total of just 7 matrix-vector multiplications over GF(2), together with 4 multiplications and 3 additions in GF(2^n).

For the construction of enciphering permutations, GF(2^n) and its subfield GF(2^δ) are regarded as vector spaces, of dimensions 4 and 2 respectively, over their common subfield GF(2^γ). To construct an enciphering permutation, one first chooses at random two secret bases a_1, ..., a_4 and b_1, ..., b_4 of GF(2^n) over GF(2^γ). One also chooses a basis e_1, e_2 of GF(2^δ) over GF(2^γ). This last basis need not be kept secret and can be chosen to be whatever is most convenient. The sequence a_1, ..., a_4, b_1, ..., b_4, e_1, e_2 formed by these three bases constitutes secret trapdoor information about an enciphering permutation P that is specified by this sequence. We will call this sequence a trapdoor sequence for the permutation P.

This permutation is constructed as follows. First, let S_1 and S_2 be the GF(2^γ)-linear functions from GF(2^δ) into GF(2^n) such that S_1(e_j) = a_j and S_2(e_j) = a_{j+2}, for j = 1, 2. Next, let T_1 and T_2 be the GF(2^γ)-linear functions from GF(2^n) into GF(2^δ) such that

$$T_1(b_j) = \begin{cases} e_j, & j = 1, 2 \\ 0, & j = 3, 4 \end{cases} \qquad \text{and} \qquad T_2(b_j) = \begin{cases} 0, & j = 1, 2 \\ e_{j-2}, & j = 3, 4. \end{cases}$$

Finally, let M be the permutation of GF(2^δ) given by

$$M(x) = x^{2^\beta + 1}. \qquad (2.2)$$

Then the enciphering permutation P specified by the trapdoor sequence a_1, ..., a_4, b_1, ..., b_4, e_1, e_2 is the function from GF(2^n) into GF(2^n) given by

$$P(x) = S_1 M T_1(x) + S_2 M T_2(x). \qquad (2.3)$$

Here and in the following, we denote the composition of two or more functions by the juxtaposition of their symbols. Thus, for i = 1, 2, S_i M T_i(x) = S_i ∘ M ∘ T_i(x) = S_i(M(T_i(x))).

We note that the enciphering permutation P just described does not determine a unique trapdoor sequence which specifies it. Indeed, it can be shown that for each enciphering permutation, there are a very large number of trapdoor sequences which specify it.

For the public description of the enciphering permutation P described above, P must be expressed as a polynomial function. To do this, first the functions S_i and T_i are expressed as polynomial functions. The functions S_i are given by the polynomial formulas

$$S_i(x) = a_{i0}\, x + a_{i1}\, x^{2^\gamma}, \qquad (2.4)$$

where the coefficients a_{ik} are the elements of GF(2^n) uniquely determined by the system of linear equations

$$a_{i0}\, e_j + a_{i1}\, e_j^{2^\gamma} = S_i(e_j), \quad j = 1, 2.$$

The functions T_i are given by the polynomial formulas

[formula (2.5) is not legible in the scan]

where the coefficients b_{ik} are the elements of GF(2^n) uniquely determined by the system of linear equations

[system not legible in the scan]

Once the elements a_{ik} and b_{ik} have been determined, the enciphering permutation P is given by the polynomial formula (2.1), where the coefficients p_{gh} are given by

[formula (2.6) is not legible in the scan]

where b_{i,-1} = b_{i,3}, for i = 1, 2.

We note that this polynomial formula for P can be derived by substituting the polynomial formulas (2.4), (2.5), and (2.2) for the functions S_i, T_i, and M into formula (2.3) and expanding the resulting expression for P(x) as a polynomial in x, taking into account that repeated squarings are automorphisms of GF(2^n), and using the identity x^{2^n} = x to reduce the degree of this polynomial to less than 2^n. We also note that the coefficients a_{ik} and b_{ik} in the polynomial formulas (2.4) and (2.5) for the functions S_i and T_i must be kept secret because a trapdoor sequence for P can be computed from them quite easily.

To decipher a message which has been enciphered using the enciphering permutation P, each ciphertext n-block y is replaced by the corresponding plaintext n-block x which is given by x = P^{-1}(y), where P^{-1} is the inverse of the permutation P. To obtain a formula for the deciphering permutation P^{-1}, one must know a trapdoor sequence a_1, ..., a_4, b_1, ..., b_4, e_1, e_2 for P. The permutation P^{-1} is specified by this trapdoor sequence as follows. Let U_1 and U_2 be the GF(2^γ)-linear functions from GF(2^δ) into GF(2^n) such that U_1(e_j) = b_j and U_2(e_j) = b_{j+2} for j = 1, 2. Let V_1 and V_2 be the GF(2^γ)-linear functions from GF(2^n) into GF(2^δ) such that

$$V_1(a_j) = \begin{cases} e_j, & j = 1, 2 \\ 0, & j = 3, 4 \end{cases} \qquad \text{and} \qquad V_2(a_j) = \begin{cases} 0, & j = 1, 2 \\ e_{j-2}, & j = 3, 4. \end{cases}$$

Finally, let M^{-1} be the inverse of the permutation M of GF(2^δ), which means that M^{-1} is given by

$$M^{-1}(y) = y^E, \qquad (2.7)$$

where E = 2^{β-1}(2^{2β} + 2^β - 1). Then the deciphering permutation P^{-1} is given by

$$P^{-1}(y) = U_1 M^{-1} V_1(y) + U_2 M^{-1} V_2(y). \qquad (2.8)$$

Like the functions S_i and T_i, the functions U_i and V_i can be expressed as polynomial functions. The functions U_i are given by the polynomial formulas

[formula (2.9) is not legible in the scan]

where the coefficients c_{ik} are the elements of GF(2^n) uniquely determined by the system of linear equations

$$c_{i0}\, e_j + c_{i1}\, e_j^{2^\gamma} = U_i(e_j), \quad j = 1, 2.$$

The functions V_i are given by the polynomial formulas

[formula (2.10) is not legible in the scan]

where the coefficients d_{ik} are the elements of GF(2^n) uniquely determined by the system of linear equations

[system not legible in the scan]

The coefficients c_{ik} and d_{ik} in the polynomial formulas (2.9) and (2.10) for the functions U_i and V_i can be regarded as a secret private key for the deciphering permutation P^{-1}.

P^{-1}(y) can be computed for each y ∈ GF(2^n) by using formula (2.8) together with the polynomial formulas (2.9), (2.10), and (2.7) for the functions U_i, V_i, and M^{-1}. An efficient way of doing this is based on the following formula:

[formula not legible in the scan]

where d_{i,-1} = d_{i,3} and α = n/12. To compute P^{-1}(y) efficiently using this formula, first compute the quantities z_1 and z_2 given by z_i = M^{-1} V_i(y) by using the above formula and computing the powers of y of the form y^{2^k} appearing in this formula by doing k successive squarings. Then compute the quantities U_i(z_i) by using the polynomial formulas (2.9) for the functions U_i and again computing powers of the z_i by repeated squaring. Finally, compute P^{-1}(y) by adding U_1(z_1) and U_2(z_2). Computing P^{-1}(y) this way requires a total of just (3/2)n - 1 squarings, 30 multiplications, 2 divisions, and 21 additions in GF(2^n).

P^{-1}(y) can be computed even more efficiently by making use of matrix-vector multiplication. To compute P^{-1}(y) this way, first compute the quantities t_i, u_i, and v_i for i = 1, 2, where these quantities are given by

$$t_i = V_i(y)^{2^{3\beta - 1}}, \qquad u_i = V_i(y)^{2^{2\beta - 1}}, \qquad v_i = V_i(y)^{2^{\beta - 1}}.$$

Each of these quantities is a GF(2)-linear function of y, and so can be computed by doing a single matrix-vector multiplication over GF(2). Next, compute the quantities w_1 and w_2 given by w_i = M^{-1} V_i(y) = t_i u_i / v_i. Then compute U_1(w_1) and U_2(w_2). For each i, the quantity U_i(w_i) is a GF(2)-linear function of w_i, and so can be computed by doing a single matrix-vector multiplication over GF(2). Finally, compute P^{-1}(y) by adding U_1(w_1) and U_2(w_2). Computing P^{-1}(y) this way requires a total of just 8 matrix-vector multiplications over GF(2), together with 7 multiplications, 2 divisions, and 1 addition in GF(2^n).

For the security of the cipher, the trapdoor sequences used should be such that all the coefficients p_{gh}, a_{ik}, b_{ik}, c_{ik}, and d_{ik} in the polynomial formulas (2.1), (2.4), (2.5), (2.9), and (2.10) for the functions P, S_i, T_i, U_i, and V_i are nonzero. It can be shown that, given any basis e_1, e_2 of GF(2^δ) over GF(2^γ), if elements a_1, ..., a_4, b_1, ..., b_4 are chosen at random from GF(2^n), then it is virtually certain that a_1, ..., a_4 and b_1, ..., b_4 will both form bases of GF(2^n) over GF(2^γ) and that the sequence a_1, ..., a_4, b_1, ..., b_4, e_1, e_2 will form a trapdoor sequence that satisfies the security requirements just stated.

3. Invertibility of the enciphering and deciphering permutations

We now show that the enciphering and deciphering permutations given by formulas (2.3) and (2.8), respectively, are indeed mutually inverse permutations of GF(2^n).

Since the invertibility of these functions depends on the invertibility of the function M given by formula (2.2), we first indicate why this function is a permutation of GF(2^δ) and why M^{-1} is given by formula (2.7). Using the Euclidean algorithm and the relation δ = 3β, it can be calculated that gcd(2^δ - 1, 2^β + 1) = 1. Hence there exist numbers E satisfying the congruence (2^β + 1)E ≡ 1 (mod 2^δ - 1). If E is any positive solution of this congruence, then it follows from the identity x^{2^δ - 1} = 1, which is satisfied by all nonzero x ∈ GF(2^δ), that M(x)^E = x for all x ∈ GF(2^δ). Thus M is a permutation of GF(2^δ), and M^{-1} is given by M^{-1}(y) = y^E, where E is any positive solution of the above congruence. It follows that M^{-1} is given by formula (2.7) provided that the number E appearing in this formula satisfies the condition just given. The Euclidean algorithm calculations mentioned above can be used to find all the solutions of the congruence above. Of these solutions, the least positive one is exactly the number E = 2^{β-1}(2^{2β} + 2^β - 1) appearing in formula (2.7). Thus M^{-1} is indeed given by formula (2.7).

Proposition. The enciphering function P given by formula (2.3) is a permutation of GF(2^n) and the inverse of this permutation is the deciphering function given by formula (2.8).

Proof. Let Q denote the function on GF(2^n) defined by formula (2.8). To prove the proposition, it suffices to show that QP(x) = x for all x ∈ GF(2^n). Let a_1, ..., a_4, b_1, ..., b_4, e_1, e_2 be a trapdoor sequence for P that specifies the GF(2^γ)-linear functions S_i, T_i, U_i, and V_i appearing in formulas (2.3) and (2.8). Let X_1 and X_2 be the GF(2^γ)-subspaces of GF(2^n) spanned by b_1, b_2 and by b_3, b_4, respectively, and let Y_1 and Y_2 be the GF(2^γ)-subspaces of GF(2^n) spanned by a_1, a_2 and by a_3, a_4, respectively. Then GF(2^n) = X_1 ⊕ X_2 = Y_1 ⊕ Y_2. Now suppose that x ∈ GF(2^n) is given, and let x_1 and x_2 be the unique elements of X_1 and X_2, respectively, such that x = x_1 + x_2. Then, for i = 1, 2,

$$T_i(x) = T_i(x_1 + x_2) = T_i(x_1) + T_i(x_2) = T_i(x_i),$$

where the last equality holds because T_1(X_2) = T_2(X_1) = 0 by the definition of the functions T_i. Also T_i maps X_i one-to-one onto GF(2^δ), M is a permutation of GF(2^δ), and S_i maps GF(2^δ) one-to-one onto Y_i, so S_i M T_i maps X_i one-to-one onto Y_i. Thus, letting y_i = S_i M T_i(x_i), we have P(x) = y_1 + y_2, with y_i ∈ Y_i. Next, to compute QP(x), we note that, for i = 1, 2,

$$V_i P(x) = V_i(y_1 + y_2) = V_i(y_1) + V_i(y_2) = V_i(y_i),$$

where the last equality holds because V_1(Y_2) = V_2(Y_1) = 0 by the definition of the functions V_i. Hence

$$QP(x) = U_1 M^{-1} V_1(y_1) + U_2 M^{-1} V_2(y_2) = U_1 M^{-1} V_1 S_1 M T_1(x_1) + U_2 M^{-1} V_2 S_2 M T_2(x_2).$$

Also both V_i S_i and M^{-1} M are the identity map on GF(2^δ), and U_i T_i is the identity map on X_i, so U_i M^{-1} V_i S_i M T_i(x_i) = x_i. Hence, for all x ∈ GF(2^n), QP(x) = x_1 + x_2 = x. Thus P is a permutation of GF(2^n), and P^{-1} = Q. Q.E.D.

4. Cryptanalysis by solving the equation P(x) = y

In this section and the next two sections, we describe some possible methods of cryptanalyzing our cipher by using public information about the enciphering permutation. For each method that we consider, we give an estimate of the amount of computation needed.

The first cryptanalytic attack that we consider consists of solving a given ciphertext message, enciphered using a known enciphering permutation P, by solving the equation P(x) = y for each ciphertext n-block y to find the corresponding plaintext n-block x. We consider two methods of solving the equation P(x) = y. The first method is an exhaustive search procedure, while the second method is algebraic in nature.

The exhaustive search procedure that we consider for solving the equation P(x) = y depends on the easily proved identity P(wz) = M(w)P(z), which holds for all w ∈ GF(2^γ) and z ∈ GF(2^n). In view of this identity, if a nonzero z ∈ GF(2^n) can be found such that y/P(z) ∈ GF(2^γ), then the desired n-block x such that P(x) = y is given by x = M^{-1}(y/P(z)) z. A nonzero z ∈ GF(2^n) has the property just described if and only if (y/P(z))^{2^γ} = y/P(z). Such an element z can be found by an exhaustive search in which elements of GF(2^n) are tested one-by-one until one is found that satisfies this last condition. A minimal subset of GF(2^n) that is certain to contain an element z of the desired kind contains exactly one element of each different subset of GF(2^n) of the form {wt : w ∈ GF(2^γ), w ≠ 0}, where t is a nonzero element of GF(2^n). There are approximately 2^{(3/4)n} such subsets of GF(2^n), so the desired element z can be found after at most 2^{(3/4)n} trials. We will regard each trial needed to find this element z as a single operation. Then it follows that at most approximately 2^{(3/4)n} operations are required to solve the equation P(x) = y by the exhaustive search procedure just described.

The second method that we consider for solving the equation P(x) = y is to regard this equation as a polynomial equation in x and to solve this equation algebraically. It appears that the most efficient way of doing this is to use the Euclidean algorithm to compute the polynomial in x which is the greatest common divisor of the polynomials P(x) - y and x^{2^n} - x. To see what this accomplishes, note that, since P is a permutation of GF(2^n), the polynomial P(x) - y has a unique root x = r in GF(2^n), and hence has a unique linear factor x - r over GF(2^n). On the other hand, the polynomial x^{2^n} - x is the product of all the linear factors x - a, with a ∈ GF(2^n). Hence the greatest common divisor of P(x) - y and x^{2^n} - x is exactly the linear factor x - r such that x = r is the desired solution of the equation P(x) = y. Thus to solve the equation P(x) = y, it is only necessary to compute this greatest common divisor. Using the Euclidean algorithm to do this, the required number of multiplications and divisions in GF(2^n) is at most approximately (deg(P))^2/2. Thus we conclude that the equation P(x) = y can be solved algebraically using the method just described by doing at most approximately 2^{(11/6)n - 1} operations.
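Added example, not code from the paper or its author: a toy Python implementation of GF(2^m) arithmetic that checks, for β = 1, 2, 3, the section 3 claims about M (gcd(2^δ - 1, 2^β + 1) = 1, E the least positive solution of the congruence, and y^E inverting M on all of GF(2^δ)), and then runs the section 4 gcd method, gcd(P(x) - y, x^{2^m} - x), on a constructed permutation polynomial over GF(2^6). It goes beyond the page in that the P used is (x + c)^5 + d, a translate of the β = 2 map M, rather than the paper's 16-term P, which the scan does not reproduce; the irreducible field polynomials, the constants c = 7, d = 19 and the sample y values are this example's own choices. A non-permutation polynomial (x^3 over GF(2^6)) exercises the failure mode: the gcd is not a single linear factor and the function returns None.

```python
# Added example, not code from Cade's paper: a toy GF(2^m) implementation that
# checks, for small parameters, two facts the text states.  Section 3: with
# delta = 3*beta, M(x) = x^(2^beta+1) permutes GF(2^delta) and is inverted by
# y^E, E = 2^(beta-1)(2^(2 beta) + 2^beta - 1).  Section 4: the unique root of
# P(x) = y is the linear factor gcd(P(x) - y, x^(2^m) - x).  The field
# polynomials and the toy permutation polynomial P are this example's choices.
from math import gcd

# Constructed irreducible polynomials over GF(2); bit i is the coefficient of x^i.
IRRED = {3: 0b1011, 6: 0b1000011, 9: 0b1000010001}

def gf_mul(a, b, m):
    """Product in GF(2^m); elements are ints below 2^m."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:
            a ^= IRRED[m]
    return r

def gf_pow(a, e, m):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, m)
        a, e = gf_mul(a, a, m), e >> 1
    return r

def inverse_exponent(beta):
    """The exponent E of formula (2.7)."""
    return 2 ** (beta - 1) * (2 ** (2 * beta) + 2 ** beta - 1)

def check_M_invertible(beta):
    """Section 3 with delta = 3*beta: gcd condition, E is the least positive
    solution of (2^beta+1) E = 1 mod 2^delta-1, and y^E undoes M on GF(2^delta)."""
    delta, k = 3 * beta, 2 ** beta + 1
    q, E = 2 ** delta, inverse_exponent(beta)
    ok = gcd(q - 1, k) == 1 and E == pow(k, -1, q - 1)
    return ok and all(gf_pow(gf_pow(x, k, delta), E, delta) == x for x in range(q))

# Polynomials over GF(2^m) are coefficient lists, index = degree.
def poly_trim(p):
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p

def poly_mod(p, f, m):
    """Remainder of p on division by f (f has a nonzero leading coefficient)."""
    p, d = p[:], len(f) - 1
    inv_lead = gf_pow(f[-1], 2 ** m - 2, m)
    for i in range(len(p) - 1, d - 1, -1):
        c = gf_mul(p[i], inv_lead, m)
        if c:
            for j, fj in enumerate(f):
                p[i - d + j] ^= gf_mul(c, fj, m)
    return poly_trim(p[:d] or [0])

def poly_mulmod(a, b, f, m):
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] ^= gf_mul(ai, bj, m)
    return poly_mod(prod, f, m)

def poly_gcd(a, b, m):
    a, b = poly_trim(a[:]), poly_trim(b[:])
    while b != [0]:
        a, b = b, poly_mod(a, b, m)
    return a

def root_by_gcd(P, y, m):
    """Section 4: the root of P(x) = y from gcd(P(x) - y, x^(2^m) - x); None if
    the gcd is not a single linear factor (P is then not a permutation)."""
    f = P[:]
    f[0] ^= y                               # P(x) - y; subtraction is XOR here
    xq = poly_mod([0, 1], f, m)
    for _ in range(m):                      # x^(2^m) mod f by m squarings
        xq = poly_mulmod(xq, xq, f, m)
    xq += [0] * (2 - len(xq))
    xq[1] ^= 1                              # ... minus x
    g = poly_gcd(f, xq, m)
    if len(g) != 2:
        return None
    return gf_mul(g[0], gf_pow(g[1], 2 ** m - 2, m), m)   # root of g1*x + g0

def toy_permutation_poly(c, d, m):
    """Constructed 4-term permutation polynomial (x + c)^5 + d over GF(2^m),
    5 = 2^2 + 1 being the exponent of M for beta = 2; expanded in characteristic 2."""
    return [gf_pow(c, 5, m) ^ d, gf_pow(c, 4, m), 0, 0, c, 1]

if __name__ == "__main__":
    for beta in (1, 2, 3):
        print(f"beta={beta}, E={inverse_exponent(beta)}:", check_M_invertible(beta))
    P = toy_permutation_poly(7, 19, 6)
    for y in (0, 1, 33, 62):
        r = root_by_gcd(P, y, 6)
        print(f"P(x) = {y} has root x = {r}; check (x+7)^5 + 19 = {gf_pow(r ^ 7, 5, 6) ^ 19}")
```

The Euclidean loop in poly_gcd is what the page's estimate of (deg(P))^2/2 field multiplications and divisions counts; at the paper's block-lengths the degree of P is of the order 2^{(11/12)n}, so the same loop that runs instantly on this degree-5 toy is what makes the algebraic attack infeasible, not anything specific to the field size used here.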

5. Cryptanalysis by determining a polynomial or rational formula for P^{-1}

Next, we consider a method of cryptanalyzing the cipher that consists of determining a formula for the deciphering permutation P^{-1} by using public information about the enciphering permutation P. We describe two formulas for P^{-1} that can be determined this way. The first formula expresses P^{-1} as a polynomial function, while the second formula expresses P^{-1} as a rational function, that is, as a quotient of two polynomial functions. We describe how each of these formulas can be obtained and we give estimates of the amounts of computation needed to do this.

First, we describe how a polynomial formula for P^{-1} can be obtained. It can be shown that P^{-1} can be expressed as a polynomial function of the form

[formula for P^{-1}(y) not legible in the scan]

where the coefficients w_k are elements of GF(2^n), the index set K is a subset of the set {0, ..., 2^n - 1} which can be completely specified, and the number of elements in the set K satisfies 2^{n/3} ≤ |K| ≤ 2^{n/3+2}. This formula for P^{-1} can be regarded as a system of 2^n linear equations which uniquely determines the coefficients w_k in the formula. By making the substitution y = P(x) in this formula, an equivalent system of 2^n linear equations can be obtained which have the form

[formula not legible in the scan]

Note that this second system of equations can be formulated using only public information about the enciphering permutation P. Since the rank of this second system is the same as the rank of the original system, which is |K|, and since |K| < 2^n, it follows that this second system can be reduced to a smaller system formed from it by choosing any subset of |K| independent equations. We will assume that such a smaller system can be obtained without any significant computational effort, which may well be the case. Then the determination of the coefficients w_k in the polynomial formula for P^{-1} reduces to solving this smaller system of equations. This system consists of |K| equations in |K| unknowns, so to solve it requires at most approximately |K|^3/3 operations consisting of multiplications and divisions in GF(2^n). Hence, since |K| ≥ 2^{n/3}, we conclude that it takes at most approximately (2^n)/3 operations to solve for the coefficients w_k, and thus to determine a polynomial formula for P^{-1}.

Next, we describe how a rational formula for P^{-1} can be obtained. The rational formula that we consider has the same form as the rational formula for P^{-1} that is obtained by expanding formula (2.8) for P^{-1}(y) as a rational function of y, making use of the polynomial formulas (2.9) and (2.10) for the functions U_i and V_i described in section 2, and expressing the function M^{-1} by the rational formula M^{-1}(y) = y^ζ / y^η, where ζ = 2^{β-1}(2^{2β} + 2^β) and η = 2^{β-1}. The rational formula for P^{-1} just described has the form P^{-1}(y) = Q(y)/R(y), where Q and R are both nonconstant polynomial functions, Q(0) = 0, and R(y) ≠ 0 for all nonzero y ∈ GF(2^n). Furthermore, it can be shown that Q and R are given by polynomial formulas having the forms

[formulas for Q and R not legible in the scan]

where the coefficients w_Q(k) and w_R(k) are elements of GF(2^n), the index sets K_Q and K_R are subsets of the set {0, ..., 2^n - 1} which can be completely specified, and the numbers of elements in the sets K_Q and K_R satisfy 2^{n/3} ≤ |K_Q| ≤ 2^{n/3+3} + 64 and 4 < |K_R| ≤ 16. Now if the formula P^{-1}(y) = Q(y)/R(y) is rewritten as P^{-1}(y)R(y) - Q(y) = 0, if the substitution y = P(x) is made, and if the above polynomial formulas for the functions Q and R are used, then the result is the equation

[equation not legible in the scan]

which holds for all x ∈ GF(2^n). This equation can be regarded as a system of 2^n homogeneous linear equations that are satisfied by the elements w_Q(k) and w_R(k) and that can be formulated using only public information about the enciphering permutation P. Conversely, if a set of elements w_Q(k) and w_R(k) of GF(2^n) forms a nonzero solution of this system of equations and if the functions Q and R on GF(2^n) are defined by the polynomial formulas given above, then the function R is not identically zero and P^{-1} is given by the rational formula P^{-1}(y) = Q(y)/R(y) for all y ∈ GF(2^n) such that R(y) ≠ 0. Thus a rational formula for P^{-1} can be obtained by finding a nonzero solution of the system of linear equations given above, and furthermore such solutions exist.

Since the rank of this system of 2^n equations is at most |K_Q| + |K_R| - 1, which is less than 2^n, this system can be reduced to a smaller system which has the same rank and consists of equations chosen from the original system. We will assume that such a smaller system consisting of |K_Q| + |K_R| - 1 equations can be obtained from the original system without any significant computational effort. Then the determination of the coefficients w_Q(k) and w_R(k) in a rational formula for P^{-1} reduces to solving this smaller system of |K_Q| + |K_R| - 1 linear equations in |K_Q| + |K_R| unknowns, which takes at most approximately (|K_Q| + |K_R|)^3/3 operations. Hence, since |K_Q| + |K_R| > 2^{n/3}, we conclude that it takes at most approximately (2^n)/3 operations to determine a rational formula for P^{-1} of the kind described above.

6. Cryptanalysis by f ind ing a traDdoor seauence

The last method of cryptanalysis that we consider consists of using the public key for a given enciphering permutation P to determine a trapdoor sequence for it. We consider two ways of finding such a sequence: first by exhaustive search, and second by solving the system of equations (2.6) algebraically. We describe how each of these approaches might be carried out and we give estimates of the amounts of computation required.

The most efficient exhaustive search procedure for finding a trapdoor sequence for P appears to be as follows. First, choose the elements e1, e2 of the sequence to be any convenient basis of GF(2^δ) over GF(2^γ). Next, test one-by-one bases b1, ..., b4 of GF(2^n) over GF(2^γ) until a basis is found which is the b1, ..., b4 part of a trapdoor sequence for P whose e1, e2 elements are the ones just chosen. To test a given basis b1, ..., b4 for this property, let the GF(2^γ)-linear functions T1 and T2 be defined in terms of b1, ..., b4, e1, e2 as described in section 3, and solve for the coefficients b_ik in the polynomial formulas for these functions given by equation (2.5). Next, find all the solutions for the elements a_ik in the system of equations (2.6). Note that these solutions can be found by linear algebra, since this system is linear in the a_ik. The solutions, if any, of this system are then tested one-by-one to determine whether any of them is such that GF(2^n) can be expressed as GF(2^n) = S1(GF(2^δ)) ⊕ S2(GF(2^δ)), where S1 and S2 are the GF(2^γ)-linear functions from GF(2^n) into GF(2^n) defined in terms of the elements a_ik by formula (2.4). Now the basis b1, ..., b4, which is being tested for the property of being the b1, ..., b4 part of a trapdoor sequence for P whose e1, e2 elements are the ones chosen, has this property if and only if there exists a set of elements a_ik that satisfies the system of equations (2.6) and that satisfies the condition stated above. As soon as such a basis b1, ..., b4 and a set of elements a_ik has been found, a complete trapdoor sequence for P can be produced. The b1, ..., b4, e1, e2 part has already been obtained, and the a1, ..., a4 part of the sequence is given by a_j = S1(e_j), for j = 1, 2, and by a_j = S2(e_{j-2}), for j = 3, 4, where the functions S_i are as described above.

A minimal set of bases b1, ..., b4 that is certain to contain a basis of the desired kind includes, for each different enciphering permutation, exactly one basis that is the b1, ..., b4 part of a trapdoor sequence for the permutation whose e1, e2 elements are the ones chosen. It can be shown that such a set of bases contains approximately 2^{3n-3} bases, so at most approximately 2^{3n-3} trials are required to find a trapdoor sequence for P by the exhaustive search procedure described above. It appears likely that, for each basis b1, ..., b4 tested, either there is no solution at all for the elements a_ik, or else the basis is the b1, ..., b4 part of a trapdoor sequence for P of the desired kind and there is only one solution for the elements a_ik. In view of this, we will consider the testing of a single basis as being a single operation. Thus we conclude that at most approximately 2^{3n-3} operations are required to find a trapdoor sequence for P by the exhaustive search procedure described above.

Finally, we consider finding a trapdoor sequence for a given enciphering permutation P by solving algebraically for a set of elements a_ik and b_ik of GF(2^n) satisfying the system of equations (2.6). First, we note the connection between solutions of this system of equations and trapdoor sequences for P. If a set of elements a_ik and b_ik of GF(2^n) satisfies this system of equations and if GF(2^γ)-linear functions S_i and T_i from GF(2^n) into GF(2^n) are defined in terms of these elements by equations (2.4) and (2.5), respectively, then P can be expressed in terms of these functions by equation (2.3). Furthermore, there exists a trapdoor sequence for P which specifies these functions if and only if these functions satisfy the conditions

GF(2^n) = S1(GF(2^δ)) ⊕ S2(GF(2^δ)) = ker(T1) ⊕ ker(T2)

and GF(2^δ) = range(T1) = range(T2).

If the functions S_i and T_i satisfy these conditions and if e1, e2 is any basis of GF(2^δ) over GF(2^γ), then a trapdoor sequence for P which specifies these functions is given by a1, ..., a4, b1, ..., b4, e1, e2, where, for j = 1, 2, a_j = S1(e_j), and, for j = 3, 4, a_j = S2(e_{j-2}), and where, for j = 1, 2, b_j is the unique element of ker(T2) satisfying T1(b_j) = e_j, and, for j = 3, 4, b_j is the unique element of ker(T1) satisfying T2(b_j) = e_{j-2}. It follows that the system of equations (2.6) has many solutions for the elements a_ik and b_ik, since there is a different solution arising from each different trapdoor sequence for P having fixed e1, e2 elements, and there are perhaps other solutions as well that do not arise from any trapdoor sequence for P. We will assume that all solutions for the elements a_ik and b_ik do in fact arise from trapdoor sequences for P. Then, to find a trapdoor sequence for P, it suffices to find a single solution of the system of equations (2.6) for the elements a_ik and b_ik.

In order to estimate the amount of computation required to solve this system of equations algebraically, it is first necessary to determine the most efficient method of algebraic solution. As already noted, this system of equations is linear in the elements a_ik. Hence it appears that the most efficient way to solve this system is to first simplify it as much as possible by eliminating these unknowns. This is exactly the method that was used by Berkovits and by James, Lidl, and Niederreiter to solve the corresponding system of equations associated with the original version of our cipher. It was in this way that they broke that cipher.

For the system of equations (2.6), there are many possible ways in which the unknowns a_ik can be eliminated, and each of these ways must be tried in order to find the best way of simplifying the system. Unfortunately, to try all these ways would require a forbidding amount of computation, although it could probably be done fairly easily using a suitable computer algebra system. To get around these difficulties in analyzing this system of equations, we consider instead a different system of equations that presumably requires less computation to solve. This system of equations is associated with a class of permutations of GF(2^n) that are somewhat simpler than the enciphering permutations used in our cipher but which have the same general structure. These simpler permutations are obtained by modifying the enciphering permutation construction described in section 2 by changing the relationship between δ and γ from δ = 2γ to δ = γ. The effect of this change is to convert the polynomial formulas (2.4) and (2.5) for the functions S_i and T_i from 2 terms to 1 term and from 4 terms to 2 terms, respectively. The resulting permutation P is then given by a polynomial formula having just 4 terms, rather than 16 terms as in our cipher. The system of equations that corresponds to the system of equations (2.6) and that relates the polynomial coefficients p_gh of P to the polynomial coefficients

Now we consider how this system of equations can be solved. Note that, like the more complicated system of equations (2.6), the above system of equations is linear in the unknowns a_10 and a_20. Hence it appears that the most efficient way to solve this system is to first simplify it as much as possible by eliminating these unknowns. Of the various ways to do this, the best way appears to be one that leads fairly directly to a single polynomial equation B(B_1) = 0 of degree 2^{2δ} + 1 in the single unknown B_1 = b_10/b_11. It appears that the amount of computation required to solve this equation is at least the amount required to compute the greatest common divisor of the polynomials B(B_1) and B_1^{2^n} - B_1. This requires approximately deg(B(B_1))^2/2 operations, which is approximately 2^{(2/3)n-1} operations. We will take this amount as our estimate of the amount of computation required to find a trapdoor sequence by solving the system of equations (2.6) algebraically.

An obvious question now arises. Since the estimate just given is based solely on the properties of the corresponding system of equations for the simpler permutations described above, why not use these simpler permutations as enciphering permutations? Unfortunately, this cannot be done. The reason for this is that, for such enciphering permutations, the deciphering permutations can be expressed by a rational formula corresponding to the rational formula described in section 5 for the deciphering permutations used in our cipher, and there are at most 12 terms in this formula. Thus, as indicated in section 5, the coefficients in this formula can be determined by using at most approximately 12^3/3 operations. This number of operations is far too small to provide any security, and hence the simpler permutations described above cannot be used as enciphering permutations.

7. Summary of the cryptanalytic attacks and conclusions

The following table summarizes the estimates of the amounts of computation required by the various cryptanalytic attacks discussed in sections 4 - 6. (The entries for attacks 2b, 3a and 3b are taken from the estimates stated in the text above; the entry for 2a is not legible in the scan.)

method of attack                            estimated number of operations

1. solving the equation P(x) = y:
   a. by exhaustive search                  2^{(3/4)n}
   b. algebraically                         2^{(11/6)n-1}

2. finding a formula for P^{-1}:
   a. polynomial
   b. rational                              2^n/3

3. finding a trapdoor sequence:
   a. by exhaustive search                  2^{3n-3}
   b. algebraically                         2^{(2/3)n-1}

According to the above table, the most effective attack against our cipher is to solve algebraically for a trapdoor sequence for the enciphering permutation. This attack is estimated to require at most 2^{(2/3)n-1} operations, so the block-length n of the cipher must be chosen so that this amount of computation is unfeasible. We will assume, somewhat arbitrarily, that the maximum feasible amount of computation is the number of operations performed by a computer that does 10^9 operations per second for a period of 10 years. This amounts to a total of 3 x 10^17 operations. We multiply this by a safety factor of 10^12 to arrive at the figure of 3 x 10^29 operations as an unfeasible amount of computation. Hence the block-length n must be such that 2^{(2/3)n-1} ≥ 3 x 10^29 ≈ 2^98. Thus we conclude that a suitable block-length for our cipher is n ≥ 150.

References

1. Shimshon Berkovits (Uni. of Lowell, Dept. of Computer Science), private communication, Aug., 1985.

2. John J. Cade, A new public-key cipher which allows signatures, talk given at the Second S.I.A.M. Conference on Applied Linear Algebra, Raleigh, NC, Apr. 30 - May 2, 1985.

3. N. S. James, R. Lidl, and H. Niederreiter, Breaking the Cade cipher, preprint, 1986.